Data Privacy Comparative Guide

Published date: 12 November 2020
Subject Matter: Privacy, Technology, Data Protection, Privacy Protection, Security
Law Firm: S.U.Khan Associates Corporate & Legal Consultants
Author: Mr Saifullah Khan and Saeed Hasan Khan

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

At present, Pakistan has no specific law relating to data protection. However, in April 2020 the Ministry of Information Technology and Telecommunication released a consultation draft of the Pakistan Personal Data Protection Bill, 2020. After the consultation stage, the draft bill will be presented to Parliament for debate and passage. Once passed by the Parliament, the law will be promulgated by presidential assent. The answers in this Q&A are based on the provisions as currently set out in the draft bill, which are subject to change during the legislative process until the law is finally promulgated.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Banking: Section 70 of the Payment Systems and Electronic Fund Transfers Act, 2007 provides that a financial institution or any other authorised party must not divulge any information relating to electronic fund transfers, affairs or accounts of its consumers.

Regulation 4.2(i) of the State Bank of Pakistan's Regulations for Payment Card Security requires that card service providers ensure the confidentiality of consumers' data in storage, transmission and processing.

Regulation 2.2.3(c) of the State Bank of Pakistan's Regulations for the Security of Internet Banking requires that customer information not be transferred to an unauthorised storage or access medium.

Telecommunications: Regulation 16 of the Telecom Consumers Protection Regulations, 2009 requires that telecommunications services operators and their employees maintain the confidentiality of consumer information.

Regulation 5(2)(xxi) of the Regulations for Technical Implementation of Mobile Banking, 2016 requires that service-level agreements between third-party service providers, telecommunications operators and authorised financial institutions include a statement on online privacy, confirming that consumer information obtained as a result of mobile banking is collected, used, disclosed and retained only as committed or agreed.

Specific types of data: The draft bill recognises and provides for separate treatment of 'sensitive personal data' and 'critical personal data'. 'Biometric data' is included within the definition of 'sensitive personal data'. Sensitive personal data can be processed only with the explicit consent of the data subject and only for the following purposes:

  • the exercise or performance of any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
  • the protection of the vital interests of the data subject or another person;
  • the protection of the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
  • for medical purposes, where the processing is undertaken by a healthcare professional;
  • for the purpose of, or in connection with, any legal proceedings;
  • for the purpose of obtaining legal advice while ensuring its integrity and secrecy;
  • for the purpose of establishing, exercising or defending legal rights;
  • for the administration of justice pursuant to orders of a court of competent jurisdiction; or
  • for the exercise of any functions conferred on any person by or under any written law.

'Critical personal data' is left to be classified by the Personal Data Protection Authority of Pakistan, with the approval of the federal government. Under Section 14 of the draft bill, critical personal data cannot be transferred outside Pakistan.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

No.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

Within six months of the entry into force of the draft bill, the federal government will establish the Personal Data Protection Authority of Pakistan. The authority will be responsible for:

  • protecting the interests of data subjects and ensuring the protection of personal data;
  • preventing the misuse of personal data;
  • promoting awareness of data protection; and
  • entertaining complaints.

The authority will have all necessary powers to enable it to perform its functions effectively, including the power to decide on complaints and to pass any order. To this end, the authority will be deemed to be a civil court and will enjoy all powers vested in a civil court under the Code of Civil Procedure, 1908. In addition, the authority will have rule-making powers.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

Under Section 8 of the draft bill, the Personal Data Protection Authority of Pakistan will prescribe standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Data controllers and data processors must adhere to the standards prescribed by the authority. In terms of compliance and regulatory enforcement, the standards prescribed by the authority will prevail over industry practices. However, it is likely that, in prescribing the standards, the authority will take cognisance of industry-level best practices.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The draft Pakistan Personal Data Protection Bill, 2020 is not 'entity' driven; rather, it defines and brings under its ambit the 'data controller' and 'data processor', irrespective of their legal form.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

General exemption: Personal data processed by an individual for the purposes of his or her personal, family or household affairs, including recreational purposes, is exempt from the scope of application of the draft bill.

Exemption from specific provisions: Certain processing is exempted from specified provisions of the draft bill, as follows.

Nature of processing: Critical personal data processed for the prevention or detection of crime or for the purpose of investigations; the apprehension or prosecution of offenders; the assessment or collection of any tax or duty; or any other imposition of a similar nature by the relevant authority.
Exempt from: Consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the Personal Data Protection Authority of Pakistan's prescribed standards.

Nature of processing: Data processed in relation to the physical or mental health of a data subject.
Exempt from: Consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority's prescribed standards.

Nature of processing: Data processed to prepare statistics or carry out research.
Exempt from: Consent; lawful purpose; provision of written notice by the data controller to the data subject;
...
